
Hacker-Proofing your Applications

Every day, new vulnerabilities are discovered in mission-critical application software. Attackers, exploiting these flaws, cost businesses millions of dollars yearly. Patches are developed and (sometimes) applied; yet the attacks and losses continue. The only way to stem the tide of loss is to build security into applications from the start. This course shows how to do just that.

Starting by discussing, then demonstrating the common security flaws in application code, the course moves on to show how to avoid these flaws using secure programming principles and practices.

Many application arenas are covered, including web-based, 3-tier and database.

Topics Covered:

  •  Learn how insecure application code is exploited by attackers
  •  Learn the principles of secure application design
  •  Learn how to build strong authentication and authorization into your apps
  •  Learn how to protect sensitive data from unauthorized disclosure
  •  Learn how to foil attacks embedded in user input
  •  Learn how to safely store and manage access to sensitive data stored in databases
  •  Learn about buffer and stack overflow attacks and how to prevent them

Duration: 3 days

Delivery: Class lecture

Audience: Those responsible for designing, writing, testing, deploying and maintaining application code on UNIX, Windows or Mainframes.

Prerequisites: Experience in application design and development

Outline:

1.      Application Security – Why Bother?

          Penetrate and Patch – Why it's not enough
          Why worry about security in the design and build stage?
          The cost and tradeoffs of producing secure apps
          The cost of NOT producing secure apps

2.      Elements of Secure Application Software

          Stop Depending on the Firewall!
          Authentication
          Authorization
          Integrity
          Availability
          Privacy
          Nonrepudiation

3.      Never Trust the Input – The Process of Input Validation

          What can happen when you don't validate
          Buffer/Stack overflows
          Format string attacks
          Cross-site scripting
          Preventing OS command injection
          Preventing SQL hijacking
          Guarding against metacharacters
          Coping with Unicode
          Sanitizing URL encoding
          Guarding against null characters

4.      Protecting Against Parameter Manipulation

          What can happen if you don't guard against parameter manipulation
          Cookie manipulation
          Form field manipulation
          URL manipulation

5.      Designing Strong Authentication and Access Control

          How weak authentication and authorization can be exploited
          Strong passwords
          Securely storing authentication credentials
          Guarding against password sniffing
          Foiling brute-force and dictionary attacks

6.      Session Management

          The exposures of weak session management
          Strong session management principles
          Avoiding clear-text data
          Preventing session replay
          Preventing session hijacking

7.      Handling Sensitive Data

          What can happen with poor data-handling practices
          Guidelines for storing sensitive data in databases
          Segregating the data

8.      Using Cryptography

          The dangers of weak encryption
          Overview of current use of cryptography
          Choosing an encryption algorithm
          Using cryptography effectively
          Encrypting hard-coded credentials

9.      Configuration Management

          What can happen when it's done poorly
          Classpath misconfiguration
          Default accounts
          Default services
          File permissions
          Privileged apps
          Sample apps

10.     Spying on Your Apps

          How attackers gather info about your apps to use in subsequent attacks
          Client-side comments
          Browser cache / history
          Account enumeration
          Debugging commands
          Error messages

11.     Tools to Help Produce Secure Apps

          Whisker
          ISS Database Scanner
          Overflow checkers


sales@cbi4you.com   866.CBI.4YOU  ( 866.224.4968 )

© Copyright 2004 Computer Business International, Inc. All rights reserved.